java过滤器学习总结

    xiaoxiao2021-12-14  18

    /** * @ author StormMaybin * @ date 2016-12-03 */

    生命不息,奋斗不止!


    What’s the Filter

    Filter也称之为过滤器,它是Servlet技术中比较激动人心的技术,WEB开发人员通过Filter技术,对web服务器管理的所有web资源:例如Jsp, Servlet, 静态图片文件或静态 html 文件等进行拦截,从而实现一些特殊的功能。例如实现URL级别的权限访问控制、过滤敏感词汇、压缩响应信息等一些高级功能。

    如何使用Filter

    创建一个Filter类,实现javax.servlet.Filter接口实现doFilter()方法,进行拦截在web.xml中进行配置 package com.yiyexiaoyuan.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; /** * Servlet Filter implementation class TestFilter */ //实现Filter接口 public class TestFilter implements Filter { /** * Default constructor. */ public TestFilter() { // TODO Auto-generated constructor stub } /** * @see Filter#destroy() */ //Filter结束时候调用 public void destroy() { // TODO Auto-generated method stub } /** * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain) */ //拦截主体代码 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //去下一个Filter chain.doFilter(request, response); } /** * @see Filter#init(FilterConfig) */ //初始化时候调用 public void init(FilterConfig fConfig) throws ServletException { // TODO Auto-generated method stub } }

    在web.xml中配置

    <filter> <display-name>TestFilter</display-name> <filter-name>TestFilter</filter-name> <filter-class>com.yiyexiaoyuan.filter.TestFilter</filter-class> </filter> <filter-mapping> <filter-name>TestFilter</filter-name> <url-pattern>/TestFilter</url-pattern> </filter-mapping>

    应用场景

    解决中文乱码的Filter
    package com.yiyexiaoyuan.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; /** * Servlet Filter implementation class PageEncodingFilter */ public class PageEncodingFilter implements Filter { private String encoding = "UTF-8"; protected FilterConfig filterConfig; public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; // 本过滤器默认编码是UTF-8,但也可以在web.xml配置文件里设置自己需要的编码 if (filterConfig.getInitParameter("encoding") != null) encoding = filterConfig.getInitParameter("encoding"); } public void doFilter(ServletRequest srequset, ServletResponse sresponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) srequset; request.setCharacterEncoding(encoding); filterChain.doFilter(srequset, sresponse); } public void destroy() { this.encoding = null; } }

    web.xml配置

    <filter> <display-name>PageEncodingFilter</display-name> <filter-name>PageEncodingFilter</filter-name> <filter-class>com.yiyexiaoyuan.filter.PageEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>PageEncodingFilter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    防止SQL注入Filter实现
    package com.yiyexiaoyuan.filter; import java.io.IOException; import java.util.Enumeration; import javax.security.auth.message.callback.PrivateKeyCallback.Request; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import net.sf.json.JSONObject; //过滤sql关键字的Filter public class SQLFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; // 获得所有请求参数名 Enumeration params = req.getParameterNames(); String sql = ""; while (params.hasMoreElements()) { // 得到参数名 String name = params.nextElement().toString(); // System.out.println("name===========================" + name + // "--"); // 得到参数对应值 String[] value = req.getParameterValues(name); for (int i = 0; i < value.length; i++) { sql = sql + value[i]; } } System.out.println("提交方式:"+req.getMethod()); System.out.println("被匹配字符串:" + sql); if (sqlValidate(sql)) { req.getSession().setAttribute("error_message", "别整这个啊,老实点不好吗?"); throw new RuntimeException("恶意代码注入异常"); } else { String request_uri = req.getRequestURI(); System.out.println(request_uri); chain.doFilter(request, response); } } // 校验 protected static boolean sqlValidate(String str) { str = str.toLowerCase();// 统一转为小写 // String badStr = "and|exec"; String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|or|like|;|--|+|,|*|/"; /* * String badStr = * "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|" * + * "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" * + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#"; */// 过滤掉的sql关键字,可以手动添加 String[] badStrs = badStr.split("\\|"); for (int i = 0; i < badStrs.length; i++) { if (str.indexOf(badStrs[i]) != -1) { System.out.println("匹配到:" + badStrs[i]); return true; } } return false; } public void init(FilterConfig filterConfig) throws ServletException { // throw new UnsupportedOperationException("Not supported yet."); } public void destroy() { // throw new UnsupportedOperationException("Not supported yet."); } }

    web.xml配置

    <filter> <display-name>SQLFilter</display-name> <filter-name>SQLFilter</filter-name> <filter-class>com.yiyexiaoyuan.filter.SQLFilter</filter-class> </filter> <filter-mapping> <filter-name>SQLFilter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping> <filter>

    生命不息,奋斗不止!

    转载请注明原文地址: https://ju.6miu.com/read-971488.html

    最新回复(0)